Melanie Haga, Back Thru the Future
Soapbox

Medical Devices: Is There Life After Death?

By Melanie J. Haga

Regardless of the reason for disposing of a medical device or other electronic equipment, the product must be destroyed in a manner in which it can never be reused or identified as coming from your organization. In addition, the materials resulting from the destruction process must be disposed of in an environmentally appropriate and regulatory-compliant manner.

Medical devices—is there life after death? It’s probably not the type of question that one thinks of as it pertains to medical devices. Or even office equipment. But all electronic equipment, computers, fax machines, lab equipment, phones, copiers, monitoring equipment, scanners, and anything else with a hard drive, does have a life after it is no longer in use.

That’s a problem.

Technical Intelligence is Everywhere

Because technology is constantly evolving and improving, electronic equipment has become smarter, more powerful, smaller and less expensive. Logging in to a device to automate tasks, store and retrieve data, and provide a customized experience with your personal preferences is easy. From medical devices to office machines, the functionality is contained on tiny circuitry—and in most cases so is patient data, correspondence, passwords, billing information, accounting records, network information, scanned document images, and other sensitive information.

Even your bathroom scale probably knows things about you that other people don’t.

What Happens to Equipment When It’s Gone?

Once the lifespan of office equipment and medical devices ends, there are a few paths that the equipment can take. While some corporations have closets filled with old hard drives, broken laptops, and outdated phone systems, many medical device manufacturers, distributors, and end users are turning towards re-use as an environmentally sound option for their discarded medical equipment.

It can be a good option. Non-invasive medical equipment can easily be re-sold and re-used by the next owner, who often reaps the benefit of paying less than the cost of new. Blood pressure cuffs, lab furniture, stainless steel items, cables, and shielding can work just fine long after they have been replaced with newer items by the original owner.

Corporations, manufacturers, laboratories, health systems and educational facilities face a huge challenge when disposing of electronic equipment that has any type of memory, however. All sensitive data must be securely removed before recycling, reusing or reselling. Patient data, research data, financial records, names, dates, and location can reside in obsolete medical devices and laboratory equipment. The data remains intact as long as that equipment can still be taken apart and accessed—that includes imaging equipment, scanning devices, test equipment, sonography equipment, personal medical devices, personal equipment, computers, servers, tablets, printers, fax machines, mobile phones, portable hard drives, CDs, and back up devices.

Most recycling/resale companies claim to wipe all of their customers’ important data before the equipment is thrown away, recycled, or resold.

But What If It’s Not?

According to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute and IBM Security, the average cost of a data breach of up to 100,000 records is approximately $3.86 million.

News about cyber hacks is fairly common, but the less publicized problem of data breaches brought on by misinformed original owners still exists. In 2010, photocopiers that were used to copy sensitive medical information were sent to be re-sold without wiping the hard drives. Three hundred pages of individual medical records, containing drug prescription and blood test results, were still on the hard drive of the copiers sitting in a warehouse for resale. The U.S. Department of Health and Human Services settled with the original owner of the copiers for HIPAA violations to the tune of $1,215,780.

Following this news, CBS News purchased two photocopiers from an office equipment reseller, and discovered that the copiers were still loaded with confidential documents from its original owner—a Buffalo, New York police department. In 2015, a computer at Loyola University that contained names, Social Security numbers, and financial information for 5800 students was disposed of before the hard drive was wiped.

One of the biggest dangers of a data breach of any size is a loss of trust. If the media picked up a news story about your device being resold with recoverable patient data or research data, the resulting press could be a nightmare. Even a small medical practice or lab can face fines and lawsuits if data gets released or lost.

Recycling: The End of the Road?

So that’s it. At the end of its life, you’ll recycle your equipment and that will be the end of it, right?

Wrong.

Many recyclers try to recoup the value of electronic waste by improperly salvaging parts and selling them outside of contracted terms. Often recyclers will merely “delete” data rather than erasing or overwriting it, raising the possibility that a hacker could recover proprietary company data. In 2019, financial institution Morgan Stanley hired a vendor to scrub devices from two data centers that closed in 2016, but the vendor had left some client data on the devices. Some of those servers and hardware were then sold to recyclers and are now missing.
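The gap between "deleting" and erasing described above, shown as an added illustration that is not part of the original article: a constructed four-sector image with an assumed toy directory layout and assumed search patterns. The same `residual_hits` scan can be run over the raw bytes of a returned or sampled drive to spot-check a vendor's wipe.

```python
import re

SECTOR = 512

# Assumed patterns for sensitive residue; adjust to the data your devices hold.
PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(rb"MRN[:=]\s*\d{6,10}"),
}

def build_image():
    """Constructed sample: sector 0 is a one-entry directory, sector 1 holds a record."""
    record = b"Patient: DOE, JANE  SSN 078-05-1120  MRN:00123456  Rx: example"
    image = bytearray(SECTOR * 4)
    image[0:16] = b"\x01SCAN0001.DAT\x01\x00\x00"  # in-use flag, name, start sector
    image[SECTOR:SECTOR + len(record)] = record
    return image

def quick_delete(image):
    """What a plain 'delete' does here: mark the entry free, leave the data sectors."""
    out = bytearray(image)
    out[0] = 0x00
    return out

def overwrite(image):
    """Overwrite every sector, directory and data alike, with zeros."""
    return bytearray(len(image))

def listed_files(image):
    """Files a normal directory listing would show (entries flagged in use)."""
    return [bytes(image[1:13]).decode()] if image[0] == 0x01 else []

def residual_hits(image):
    """Return sorted (offset, label) for each sensitive pattern left in the raw bytes."""
    raw = bytes(image)
    hits = []
    for label, rx in PATTERNS.items():
        hits += [(m.start(), label) for m in rx.finditer(raw)]
    return sorted(hits)

if __name__ == "__main__":
    for name, img in [("original", build_image()),
                      ("deleted", quick_delete(build_image())),
                      ("overwritten", overwrite(build_image()))]:
        print(f"{name:12} files={listed_files(img)} residual={residual_hits(img)}")
```

After the delete the directory listing is empty, yet the scan still finds both identifiers in the data sector; only the overwritten image comes back clean.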

Recycling and the Environment

There’s actually another potential risk with recycling. Currently, 25 states require that all devices with electronic circuitry be recycled by qualified electronic recyclers and not end up in a landfill. Besides the potential problem of a data breach, the fines for improper disposal of electronic equipment are huge. According to a 2018 article in E-scrap News, The Home Depot was fined $28 million for improper disposal of batteries. Comcast has agreed to pay California $25 million for improper disposal of mainly electronic waste.

In 2015, the non-profit group Basel Action Network (BAN) investigated electronic waste recyclers by embedding GPS trackers in devices left at recycling companies. Some of those secret devices, still inside equipment with personal data on them, got stored in warehouses and made their way overseas for improper dismantling and smelting.

Electronic waste contains mercury, lead, cadmium, polybrominated flame retardants, barium, and lithium, while the plastic casings contain polyvinyl chloride. The health effects of electronic waste being melted down in China and India, where it is often sent by recyclers, include birth defects and damage to the brain, heart, liver, kidneys, nervous system and reproductive system.

Electronic Afterlife: A Permanent Solution

Knowing that the sensitive information contained on the circuit boards could be easily recovered if your devices got into the wrong hands, it is imperative that the chips themselves be destroyed. Destroying obsolete and defective devices protects your business, your reputation, and your accounts.

HIPAA compliance requires that a third party providing electronic protected health information (ePHI) destruction services must be a contracted “HIPAA Business Associate.” This agreement requires that a third party handle your ePHI with the same care and protection that your organization provides. The specific requirements for the physical handling of data media are outlined by The Office of the National Coordinator for Health Information Technology in its Security Risk Assessment Tool.

Choosing a Vendor for Device Destruction

No matter what the reason for disposing of medical and other electronic devices, you need to meet two primary objectives: your product is destroyed in such a manner that it can never be reused or identified as coming from your organization, and the materials resulting from the destruction process are disposed of in an environmentally appropriate and regulatory-compliant manner.

De-manufacturing of your devices accomplishes three important destruction objectives.

  1. The circuit boards are removed for specialized handling, shredding and recycling.
  2. Batteries are removed for separate environmentally required recycling.
  3. Other materials such as plastics and metals are separated for further specialized recycling.

Shredding the circuit boards assures that nothing short of a laboratory-based reconstruction effort could ever recover your proprietary information. Shredding should be performed in a highly secure environment. The shredded particles should then be sent to precious metal refining facilities where the shredded material is smelted and the valuable metals recovered. By using a U.S. EPA Universal Waste Destination facility for Electronics, this recycling process assures you that all proprietary information is destroyed.

When choosing an electronic waste disposal vendor, look for one that is a Federal EPA licensed facility, ISO 9001, 14001 and 45001 certified, and R2 (Responsible Recycling) certified. They should provide you with detailed certificates of destruction for all devices, by serial number. Compliance documentation, including secure tracking information, should be available to you 24/7/365 as well.

By performing vendor due diligence to ensure that your devices are properly de-manufactured and destroyed, you will eliminate the unauthorized and uncontrolled re-marketing of your devices, destroy all sensitive data that may be on the circuitry, and comply with all regulatory and industry environmental standards for disposal.

That’s the only way to get an absolute guarantee that your devices have no more life left in them.

About The Author

Melanie Haga, Back Thru the Future